feat: added ability to disable FRP for HaRP<-->ExApp communication. (#555)

Signed-off-by: Oleksander Piskun <oleksandr2088@icloud.com>
Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
Signed-off-by: nextcloud-command <nextcloud-command@users.noreply.github.com>
Co-authored-by: Andrey Borysenko <andrey18106x@gmail.com>
Co-authored-by: nextcloud-command <nextcloud-command@users.noreply.github.com>

Author: 3 people

js/app_api-adminSettings.js

@@ -48,6 +48,7 @@ protected function configure(): void {
 		$this->addOption('harp_frp_address', null, InputOption::VALUE_REQUIRED, '[host]:[port] of the HaRP FRP server, default host is same as HaRP host and port is 8782');
 		$this->addOption('harp_shared_key', null, InputOption::VALUE_REQUIRED, 'HaRP shared key for secure communication between HaRP and AppAPI');
 		$this->addOption('harp_docker_socket_port', null, InputOption::VALUE_REQUIRED, '\'remotePort\' of the FRP client of the remote docker socket proxy. There is one included in the harp container so this can be skipped for default setups.', '24000');
+		$this->addOption('harp_exapp_direct', null, InputOption::VALUE_NONE, 'Flag for the advanced setups only. Disables the FRP tunnel between ExApps and HaRP.');
 
 		$this->addUsage('harp_proxy_docker "Harp Proxy (Docker)" "docker-install" "http" "appapi-harp:8780" "http://nextcloud.local" --net nextcloud --harp --harp_frp_address "appapi-harp:8782" --harp_shared_key "some_very_secure_password" --set-default --compute_device=cuda');
 		$this->addUsage('harp_proxy_host "Harp Proxy (Host)" "docker-install" "http" "localhost:8780" "http://nextcloud.local" --harp --harp_frp_address "localhost:8782" --harp_shared_key "some_very_secure_password" --set-default --compute_device=cuda');
@@ -104,6 +105,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 			$deployConfig['harp'] = [
 				'frp_address' => $input->getOption('harp_frp_address') ?? '',
 				'docker_socket_port' => $input->getOption('harp_docker_socket_port'),
+				'exapp_direct' => (bool)$input->getOption('harp_exapp_direct'),
 			];
 		}
 

js/app_api-adminSettings.js.map

@@ -11,15 +11,13 @@
 
 use OCA\AppAPI\AppInfo\Application;
 use OCA\AppAPI\Db\ExApp;
-use OCA\AppAPI\Service\DaemonConfigService;
 use OCA\AppAPI\Service\ExAppService;
 use OCA\AppAPI\Service\HarpService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataResponse;
-use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\IUserManager;
@@ -32,15 +30,14 @@ class HarpController extends Controller {
 
 	public function __construct(
 		IRequest                             $request,
-		private readonly IAppConfig          $appConfig,
 		private readonly ExAppService        $exAppService,
 		private readonly LoggerInterface     $logger,
 		private readonly IThrottler          $throttler,
 		private readonly IUserManager        $userManager,
 		private readonly IGroupManager       $groupManager,
-		private readonly DaemonConfigService $daemonConfigService,
 		private readonly ICrypto             $crypto,
 		private readonly ?string             $userId,
+		private readonly HarpService		 $harpService,
 	) {
 		parent::__construct(Application::APP_ID, $request);
 
@@ -88,7 +85,7 @@ public function getExAppMetadata(string $appId): DataResponse {
 			return new DataResponse(['message' => 'Harp shared key is not valid'], Http::STATUS_UNAUTHORIZED);
 		}
 
-		return new DataResponse(HarpService::getHarpExApp($exApp));
+		return new DataResponse($this->harpService->getHarpExApp($exApp));
 	}
 
 	protected function isUserEnabled(string $userId): bool {

lib/Command/Daemon/RegisterDaemon.php

@@ -37,6 +37,7 @@ class DockerActions implements IDeployActions {
 	public const EX_APP_CONTAINER_PREFIX = 'nc_app_';
 	public const APP_API_HAPROXY_USER = 'app_api_haproxy_user';
 	public const FRP_TARGET_DIR = '/certs/frp';
+	public const DEPLOY_ID = 'docker-install';
 
 	private Client $guzzleClient;
 	private bool $useSocket = false;  # for `pullImage` function, to detect can be stream used or not.
@@ -59,7 +60,7 @@ public function __construct(
 	}
 
 	public function getAcceptsDeployId(): string {
-		return 'docker-install';
+		return self::DEPLOY_ID;
 	}
 
 	public function deployExApp(ExApp $exApp, DaemonConfig $daemonConfig, array $params = []): string {
@@ -177,7 +178,11 @@ private function installParsedCertificates(string $dockerUrl, string $containerI
 	}
 
 	private function installFRPCertificates(DaemonConfig $daemonConfig, string $dockerUrl, string $containerId, string $targetDir): void {
-		if (!HarpService::isHarp($daemonConfig->getDeployConfig())) {
+		$deployConfig = $daemonConfig->getDeployConfig();
+		if (!HarpService::isHarp($deployConfig)) {
+			return;
+		}
+		if (HarpService::isHarpDirectConnect($deployConfig)) {
 			return;
 		}
 		$certificates = $this->harpService->getFrpCertificates($daemonConfig);
@@ -186,7 +191,7 @@ private function installFRPCertificates(DaemonConfig $daemonConfig, string $dock
 			return;
 		}
 		$tempDir = sys_get_temp_dir();
-		$this->executeCommandInContainer($dockerUrl, $containerId, ['mkdir', '-p', self::FRP_TARGET_DIR]);
+		$this->executeCommandInContainer($dockerUrl, $containerId, ['mkdir', '-p', $targetDir]);
 
 		foreach (['ca_crt', 'client_crt', 'client_key'] as $key) {
 			$filename = str_replace('_', '.', $key);
@@ -704,7 +709,7 @@ public function buildDeployParams(DaemonConfig $daemonConfig, array $appInfo): a
 		];
 
 		$harpEnvVars = [];
-		if (isset($deployConfig['harp'])) {
+		if (isset($deployConfig['harp']) && !HarpService::isHarpDirectConnect($daemonConfig->getDeployConfig())) {
 			$harpEnvVars['HP_FRP_ADDRESS'] = explode(':', $deployConfig['harp']['frp_address'])[0];
 			$harpEnvVars['HP_FRP_PORT'] = explode(':', $deployConfig['harp']['frp_address'])[1];
 			$harpEnvVars['HP_SHARED_KEY'] = $this->crypto->decrypt($deployConfig['haproxy_password']);

lib/Controller/HarpController.php

@@ -18,13 +18,15 @@
  */
 class ManualActions implements IDeployActions {
 
+	public const DEPLOY_ID = 'manual-install';
+
 	public function __construct(
 		private readonly ExAppService		 $exAppService,
 	) {
 	}
 
 	public function getAcceptsDeployId(): string {
-		return 'manual-install';
+		return self::DEPLOY_ID;
 	}
 
 	public function deployExApp(ExApp $exApp, DaemonConfig $daemonConfig, array $params = []): string {

lib/DeployActions/DockerActions.php

@@ -13,14 +13,11 @@
 use OCA\AppAPI\Db\ExApp;
 use OCP\App\IAppManager;
 use OCP\IRequest;
-use Psr\Log\LoggerInterface;
 
 class AppAPICommonService {
 
 	public function __construct(
 		private readonly IAppManager         $appManager,
-		private readonly DaemonConfigService $daemonConfigService,
-		private readonly LoggerInterface     $logger,
 		private readonly HarpService         $harpService,
 	) {
 	}
@@ -36,15 +33,16 @@ public function buildAppAPIAuthHeaders(?IRequest $request, ?string $userId, ExAp
 
 		if ($this->harpService->isHarp($exApp->getDeployConfig())) {
 			$harpKey = $this->harpService->getHarpSharedKey($exApp->getDeployConfig());
-			$headers['HARP-SHARED-KEY'] = $harpKey;
-			$headers['EX-APP-PORT'] = $exApp->getPort();
+			$headers['harp-shared-key'] = $harpKey;
+			$headers['ex-app-port'] = $exApp->getPort();
+			$headers['ex-app-host'] = $this->harpService->getExAppHost($exApp);
 		}
 
 		return $headers;
 	}
 
 	public function buildExAppHost(array $deployConfig): string {
-		if (boolval($deployConfig['harp'] ?? false)) {
+		if (($deployConfig['harp'] ?? false) && !HarpService::isHarpDirectConnect($deployConfig)) {
 			return '127.0.0.1';
 		}
 		if (isset($deployConfig['additional_options']['OVERRIDE_APP_HOST'])) {

lib/DeployActions/ManualActions.php

@@ -12,6 +12,7 @@
 use OCA\AppAPI\Db\DaemonConfig;
 use OCA\AppAPI\Db\DaemonConfigMapper;
 
+use OCA\AppAPI\DeployActions\ManualActions;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\MultipleObjectsReturnedException;
 use OCP\DB\Exception;
@@ -31,6 +32,10 @@ public function __construct(
 	}
 
 	public function registerDaemonConfig(array $params): ?DaemonConfig {
+		if (!isset($params['deploy_config']['net'])) {
+			$this->logger->error('Failed to register daemon configuration: `net` key should be present in the deploy config.');
+			return null;
+		}
 		$bad_patterns = ['http', 'https', 'tcp', 'udp', 'ssh'];
 		$docker_host = (string)$params['host'];
 		$frp_host = (string)($params['harp']['frp_address'] ?? '');
@@ -45,9 +50,15 @@ public function registerDaemonConfig(array $params): ?DaemonConfig {
 			}
 		}
 		if ($params['protocol'] !== 'http' && $params['protocol'] !== 'https') {
-			$this->logger->error('Failed to register daemon configuration. `protocol` must be `http` or `https`.');
+			$this->logger->error('Failed to register daemon configuration: `protocol` must be `http` or `https`.');
 			return null;
 		}
+		if ($params['accepts_deploy_id'] !== ManualActions::DEPLOY_ID && isset($params['deploy_config']['harp']['exapp_direct']) && $params['deploy_config']['harp']['exapp_direct'] === true) {
+			if ($params['deploy_config']['net'] === 'host') {
+				$this->logger->error('Failed to register daemon configuration: setting `net=host` in HaRP is not supported when communication with ExApps is done directly without FRP.');
+				return null;
+			}
+		}
 		$params['deploy_config']['nextcloud_url'] = rtrim($params['deploy_config']['nextcloud_url'], '/');
 		try {
 			if (isset($params['deploy_config']['haproxy_password']) && $params['deploy_config']['haproxy_password'] !== '') {

lib/Service/AppAPICommonService.php

@@ -13,6 +13,7 @@
 use GuzzleHttp\Exception\ClientException;
 use OCA\AppAPI\Db\DaemonConfig;
 use OCA\AppAPI\Db\ExApp;
+use OCA\AppAPI\DeployActions\ManualActions;
 use OCP\ICertificateManager;
 use OCP\IConfig;
 use OCP\Security\ICrypto;
@@ -26,8 +27,6 @@ public function __construct(
 		private readonly IConfig             $config,
 		private readonly ICertificateManager $certificateManager,
 		private readonly ICrypto             $crypto,
-		private readonly ExAppService        $exAppService,
-		private readonly DaemonConfigService $daemonConfigService,
 	) {
 	}
 
@@ -70,7 +69,7 @@ protected function initGuzzleClient(DaemonConfig $daemonConfig): void {
 		}
 
 		$harpKey = $this->crypto->decrypt($daemonConfig->getDeployConfig()['haproxy_password']);
-		if (boolval($daemonConfig->getDeployConfig()['harp'] ?? false)) {
+		if ($daemonConfig->getDeployConfig()['harp'] ?? false) {
 			$guzzleParams['headers'] = [
 				'harp-shared-key' => $harpKey,
 			];
@@ -88,10 +87,33 @@ public static function isHarp(array $deployConfig): bool {
 		return boolval($deployConfig['harp'] ?? false);
 	}
 
-	public static function getHarpExApp(ExApp $exApp): array {
+	public static function isHarpDirectConnect(array $deployConfig): bool {
+		return isset($deployConfig['harp']['exapp_direct']) && $deployConfig['harp']['exapp_direct'] === true;
+	}
+
+	public static function getExAppHost(ExApp $exApp): string {
+		$deployConfig = $exApp->getDeployConfig();
+		if (HarpService::isHarpDirectConnect($deployConfig)) {
+			if (isset($deployConfig['additional_options']['OVERRIDE_APP_HOST']) &&
+				$deployConfig['additional_options']['OVERRIDE_APP_HOST'] !== ''
+			) {
+				$wideNetworkAddresses = ['0.0.0.0', '127.0.0.1', '::', '::1'];
+				if (!in_array($deployConfig['additional_options']['OVERRIDE_APP_HOST'], $wideNetworkAddresses)) {
+					return $deployConfig['additional_options']['OVERRIDE_APP_HOST'];
+				}
+			}
+			if ($exApp->getAcceptsDeployId() !== ManualActions::DEPLOY_ID) {
+				return $exApp->getAppid();
+			}
+		}
+		return "127.0.0.1";
+	}
+
+	public function getHarpExApp(ExApp $exApp): array {
 		return [
 			'exapp_token' => $exApp->getSecret(),
 			'exapp_version' => $exApp->getVersion(),
+			'host' => $this->getExAppHost($exApp),
 			'port' => $exApp->getPort(),
 			'routes' => array_map(function ($route) {
 				$bruteforceList = json_decode($route['bruteforce_protection'], true);
@@ -120,7 +142,7 @@ public function harpExAppUpdate(DaemonConfig $daemonConfig, ExApp $exApp, bool $
 		try {
 			if ($added) {
 				$this->guzzleClient->post($url, [
-					'json' => self::getHarpExApp($exApp),
+					'json' => $this->getHarpExApp($exApp),
 				]);
 			} else {
 				$this->guzzleClient->delete($url);

lib/Service/DaemonConfigService.php

@@ -20,6 +20,7 @@
 				<p><b>{{ t('app_api', 'Name') }}: </b>{{ daemon.name }}</p>
 				<p><b>{{ t('app_api', 'Protocol') }}: </b>{{ daemon.protocol }}</p>
 				<p><b>{{ t('app_api', 'Host') }}: </b>{{ daemon.host }}</p>
+				<p v-if="daemon.deploy_config.harp"><b>{{ t('app_api', 'ExApp direct communication (FRP disabled)') }}: </b>{{ daemon.deploy_config.harp.exapp_direct ?? false }}</p>
 
 				<h3>{{ t('app_api', 'Deploy config') }}</h3>
 				<p><b>{{ t('app_api', 'Docker network') }}: </b>{{ daemon.deploy_config.net }}</p>